This policy explains how MetaGuard Mobitech Pvt. Ltd. and MemoFaceAI collect, use, store, and protect personal data — including biometric data — across our products and services.
Introduction
MetaGuard Mobitech Pvt. Ltd. ("MetaGuard", "we", "us", or "our") operates the MemoFaceAI platform, including the web application at memofaceai.com, the Android and iOS or iPad device mobile application, on-premise hardware integrations, and all associated APIs and services (collectively, the "Services").
This Privacy Policy describes how we collect, use, disclose, and safeguard personal information — including sensitive personal data and biometric data — when you or your organisation uses our Services. It applies to:
- Employees and workers whose attendance is recorded by MemoFaceAI on behalf of an employer ("End Users");
- Administrators, HR managers, and other authorised personnel who access the MemoFaceAI dashboard ("Operators");
- Students, faculty, and institutional staff using MemoFaceAI in educational settings;
- Visitors to our website and individuals who contact us for sales or support.
Important distinction: In most deployments, MemoFaceAI acts as a data processor on behalf of the customer organisation (the data controller). The employer or institution determines the purposes for which employee or student data is used. We process that data only on their instruction and in accordance with our Data Processing Agreement (DPA).
Please read this policy carefully. By using the Services, you acknowledge that you have read and understood it. If you do not agree with our practices, please discontinue use of the Services and contact your employer or institution to understand their data practices.
Who We Are
MetaGuard Mobitech Pvt. Ltd. is a company incorporated under the Companies Act, 2013 in India, with its registered office in Gurgaon, Haryana. MemoFaceAI is our flagship AI-powered workforce intelligence product.
| Detail | Information |
|---|---|
| Company | MetaGuard Mobitech Pvt. Ltd. |
| Product | MemoFaceAI (memofaceai.com) |
| Registered office | Gurgaon, Haryana, India |
| CIN | Available on request |
| Data Controller contact | privacy@metaguard.in |
| DPO contact | Loveneesh Bansal — loveneesh@metaguard.in |
Data We Collect
We collect different categories of personal data depending on the role of the individual and the Services being used.
3.1 Data provided by customer organisations
Your employer or institution provides us with data required to set up the Services. This may include:
- Full name, employee or student ID, department, and designation;
- Contact details including email address and mobile number (used for notifications and alerts);
- Employment or enrolment status, shift assignments, and leave records;
- Payroll-relevant data such as working hours, overtime, and deductions.
3.2 Data collected automatically by the Services
- Attendance records: Timestamps of check-in and check-out events, matched to enrolled individuals;
- Location data: Where mobile check-in or geo-fencing features are enabled by the employer, approximate GPS coordinates at the time of check-in;
- Device data: Device model, OS version, and app version when using the mobile application;
- Log data: Server logs, IP addresses, access timestamps, and API usage for security and debugging.
3.3 Data collected from website visitors
- Contact form submissions (name, email, company, message);
- Demo booking information;
- Newsletter subscriptions;
- Analytics data via cookies (see Section 11).
We do not sell personal data. MemoFaceAI has never sold, and will never sell, personal data of employees, students, or end users to third parties for advertising, profiling, or any commercial purpose not directly related to providing the Services.
Biometric Data — Special Category
Biometric data is sensitive personal data. We treat facial recognition templates and liveness-detection data with the highest level of care, applying additional safeguards beyond those applied to general personal data.
What biometric data we collect
- Facial geometry templates: A mathematical representation of the unique geometric features of an individual's face, generated from an enrolment photograph or video frame. We do not store raw photographs after template generation unless the customer organisation explicitly enables photo-log features.
- Liveness signals: Infrared or depth signals used to distinguish a live person from a photograph or mask. These are processed in real-time and not stored as an identifiable record.
How biometric data is stored
- Facial templates are stored as encrypted mathematical vectors, not as photographs. The template cannot be used to reconstruct a recognisable image of the individual.
- Templates are encrypted at rest using AES-256 and in transit using TLS 1.3.
- In on-premise deployments, biometric templates remain on the customer's own hardware and never leave their network.
- In cloud-hosted deployments, templates are stored in isolated, access-controlled storage with no cross-customer data access.
Consent for biometric data
Under India's Digital Personal Data Protection Act, 2023 (DPDPA) and applicable state-level regulations, collection of biometric data requires explicit informed consent from each individual. The data controller (your employer or institution) is responsible for obtaining this consent prior to enrolment. We provide a standard PDPA-compliant consent form template. Customers confirm in our Data Processing Agreement that valid consent has been obtained before enrolling any individual.
Biometric data retention
Biometric templates are deleted within 30 days of the termination of a customer's contract, or immediately upon a verified deletion request from the data controller. Templates for individuals who leave an organisation are deleted within 7 days of de-enrolment unless the customer organisation retains them under their own legal obligation.
How We Use Personal Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Attendance verification and recording | Biometric template, timestamp, device data | Contract / Legitimate interest |
| Payroll processing and HRMS sync | Attendance records, working hours, OT data | Contract |
| Workforce analytics and reporting | Aggregated attendance data (anonymised where possible) | Legitimate interest |
| Compliance reporting (NABH, UGC, Factories Act etc.) | Attendance records, shift logs | Legal obligation |
| Security and fraud prevention | Liveness data, IP logs, access logs | Legitimate interest |
| Product improvement (aggregated, anonymised) | De-identified usage data and model performance metrics | Legitimate interest |
| Customer support and onboarding | Contact details, support ticket content | Contract |
| Marketing communications (opt-in only) | Email address, name, industry | Consent |
We do not use biometric data to train general-purpose AI models or for any purpose beyond the specific attendance, security, and compliance functions described above.
Legal Basis for Processing
We process personal data under the following legal bases as applicable under the Digital Personal Data Protection Act, 2023 (DPDPA), and where applicable, the General Data Protection Regulation (GDPR) for operations involving data subjects in the EU or EEA:
- Consent: For biometric enrolment, marketing communications, and any non-essential data collection. Consent is freely given, specific, informed, and revocable.
- Contract: For data processing necessary to provide the Services contracted by your employer or institution, including attendance recording and payroll sync.
- Legal obligation: Where we are required to process or retain data to comply with applicable law, such as the Factories Act, 1948, or EPF/ESI regulations.
- Legitimate interest: For security monitoring, fraud prevention, service improvement, and internal analytics, where these interests are not overridden by the rights and freedoms of individuals.
Data Sharing and Disclosure
We do not share personal data with third parties except in the following circumstances:
7.1 With your employer or institution (the data controller)
Attendance records, reports, and analytics are shared with the customer organisation as the primary purpose of the Services. The customer organisation controls what data their authorised users can access.
7.2 With integrated HRMS and payroll providers
Where the customer organisation has enabled payroll integrations (e.g. Greythr, Keka, Zoho People, SAP HCM, Darwinbox, BambooHR), attendance data is transmitted to those systems as instructed by the customer. These integrations are governed by the customer's agreements with those providers.
7.3 With sub-processors and infrastructure providers
We use the following categories of sub-processors to deliver our Services:
- Cloud infrastructure (servers, databases, storage) — India-based and GDPR-compliant regions;
- Email delivery and notification services;
- Analytics and monitoring tools (used on anonymised / aggregated data only);
- Security and DDoS protection services.
A full list of sub-processors is available on request from privacy@metaguard.in. We maintain Data Processing Agreements with all sub-processors.
7.4 Legal requirements
We may disclose personal data if required by law, court order, or government authority, provided that we notify the relevant data controller unless prohibited from doing so by law.
7.5 Business transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction. We will notify affected customers and provide an opportunity to request deletion prior to any such transfer where technically feasible.
Data Retention
| Data type | Retention period | Basis |
|---|---|---|
| Biometric templates | Until de-enrolment or contract termination + 30 days | DPDPA / Contractual |
| Attendance records | As configured by customer (default: 5 years) | Labour law compliance |
| Payroll-sync logs | 7 years (as required by Income Tax Act) | Legal obligation |
| Access and security logs | 12 months rolling | Security / Legitimate interest |
| Support tickets | 3 years from resolution | Contractual |
| Marketing contacts (opted in) | Until unsubscribe or 3 years of inactivity | Consent |
| Website analytics | 26 months (anonymised) | Legitimate interest |
Where a customer deletes their account or terminates the contract, all personal data (including biometric templates and attendance records) is deleted within 30 days, unless retention is required by applicable law, in which case data is retained only for the minimum period required and in an access-restricted archive.
Security Measures
We implement technical and organisational security measures appropriate to the sensitivity of the data we process. Key measures include:
- Encryption at rest: AES-256 encryption for all stored personal and biometric data;
- Encryption in transit: TLS 1.3 for all data transmitted between clients, servers, and integrated systems;
- Access control: Role-based access control (RBAC) with principle of least privilege. MetaGuard staff can access customer data only under explicit authorisation and with audit logging;
- Network security: Firewall, intrusion detection, and DDoS protection on all production infrastructure;
- Vulnerability management: Regular security assessments and penetration testing by qualified third parties;
- Incident response: A documented incident response plan with a target of notifying affected customers within 72 hours of confirmed personal data breaches;
- Staff training: Mandatory data protection and security training for all employees with access to personal data.
To report a security vulnerability or suspected data breach, contact our security team immediately at security@metaguard.in. We have a responsible disclosure programme and will acknowledge reports within 24 hours.
Your Data Rights
Subject to applicable law and the role of MetaGuard as data processor or data controller in a given context, individuals may have the following rights regarding their personal data:
Request a copy of personal data we hold about you, including attendance records and the existence of any biometric template.
Request correction of inaccurate personal data. Attendance corrections are typically managed by your employer's HR team via the MemoFaceAI dashboard.
Request deletion of your personal data, including biometric templates. Note that your employer may be obligated to retain certain records for a minimum statutory period.
Object to processing based on legitimate interest. Note that in employment contexts, this right may be subject to your employer's operational requirements.
Request your attendance records in a structured, machine-readable format (CSV or JSON). Available to individual employees on written request.
Request that we restrict processing while a complaint or correction request is being assessed.
Because MemoFaceAI typically acts as a data processor on behalf of your employer or institution, rights requests relating to your employment attendance data should first be directed to your HR department. We will cooperate with and support your employer in responding to valid rights requests within the timescales required by applicable law (typically 30 days).
For rights requests relating to data collected directly by MetaGuard (e.g. website visitor data, marketing emails), contact us at privacy@metaguard.in.
Cookies and Tracking
Our website (memofaceai.com and metaguard.in) uses cookies and similar technologies. The MemoFaceAI application platform uses only strictly necessary session cookies to maintain authenticated sessions.
| Cookie type | Purpose | Opt-out? |
|---|---|---|
| Strictly necessary | Session authentication, CSRF protection, load balancing | No — required for the service to function |
| Analytics | Anonymised page views and navigation patterns (no cross-site tracking) | Yes — via cookie banner |
| Preferences | Remembering language, region, and theme preferences | Yes — via cookie banner |
| Marketing | None — we do not run retargeting pixels or advertising cookies | N/A |
You can manage cookie preferences at any time via the cookie settings link in the footer of our website, or by configuring your browser to block or delete cookies. Note that disabling analytics cookies does not affect the core functionality of the MemoFaceAI platform.
Children's Privacy
MemoFaceAI is used in school and educational settings where individuals under the age of 18 may be enrolled. In these contexts:
- The school or educational institution acts as the data controller and is responsible for obtaining appropriate parental or guardian consent prior to enrolment of any student under 18;
- We provide a student-specific consent form template designed for parental consent collection;
- Student data is subject to all the protections in this policy, plus additional restrictions: student data is never used for any commercial purpose, is never shared outside the institution except as strictly required for compliance reporting, and is deleted promptly upon a student leaving the institution;
- Parents or guardians may request access to, correction of, or deletion of their child's data by contacting the school's data protection officer, who will coordinate with MetaGuard Mobitech.
MetaGuard Mobitech does not knowingly collect personal data from children under 13 through direct-to-consumer channels (e.g. via our website). If you believe a child has submitted personal data to us outside of an institutional deployment, please contact privacy@metaguard.in immediately.
International Data Transfers
MetaGuard Mobitech's primary data infrastructure is hosted in India. For customers in the MENA region (Middle East and North Africa), data is hosted in MENA-regional cloud infrastructure to support data residency requirements.
Where data is transferred internationally — for example, to sub-processors with infrastructure outside India — we ensure that appropriate safeguards are in place, including:
- Standard contractual clauses (SCCs) where required for transfers to EEA data subjects;
- Adequacy decisions, binding corporate rules, or equivalent safeguards as recognised under the DPDPA;
- Data Processing Agreements with all sub-processors that include applicable cross-border transfer provisions.
Customers requiring specific data residency guarantees (e.g. data never leaving India) should opt for our on-premise deployment model or contact us to discuss dedicated regional hosting arrangements.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or best practices. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page;
- Notify customer organisations by email at least 30 days before changes take effect;
- Display a notice in the MemoFaceAI dashboard for administrators;
- For changes to how biometric data is processed, seek renewed consent where required by law.
We maintain an archive of previous versions of this policy. To request a previous version, email privacy@metaguard.in.
Continued use of the Services after the effective date of a revised policy constitutes acceptance of the revised terms. If you do not agree to material changes, you (or your organisation) may terminate use of the Services in accordance with your contract.
Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us through one of the channels below. We aim to acknowledge all enquiries within 2 business days and resolve them within 30 days.